Hardware VPN

The Ultimate Hardware VPN Buyer's Guide


What will you find in this guide?

In general, the use cases for hardware VPNs can be broken down into a few different categories. Within each category there will be a few different considerations you might want to ponder when selecting the right virtual private network (VPN) for your needs.

 

This guide goes into detail on the considerations you need to review when selecting a hardware VPN for each of the following use cases:

  • Choosing a consumer or personal hardware VPN router
  • Choosing an enterprise hardware VPN solution
  • Choosing a government or military-grade hardware VPN
  • Choosing a hardware VPN for use in an IoT deployment

 

You’ll learn what features you should review and what requirements you should have of your chosen hardware VPN in each case. This guide will be your “right-hand person” as you execute your search for the perfect hardware VPN for your unique needs.



Getting started

Need a little primer on hardware VPNs before jumping into the selection guide? No problem!

If you like, you can get started with an introduction into hardware VPNs and some common FAQs first with our article: The Definition of Hardware VPN in 100 Words or Less [FAQs].

If you are still weighing your options between a hardware and software VPN technology, you can start by perusing the following resources:

And, if you still want additional guidance, we are here to help! Our team of experts has configured hundreds of solutions for organizations from throughout the globe. Let us help you make security simple. Get in touch with us to ask questions or get help brainstorming your architecture.

Choosing a consumer or personal hardware VPN router

There are plenty of consumer-grade wireless gateways available across the web. You can search Amazon, Kickstarter or IndieGoGo and find quite a few options. These are primarily built for home use, serving as a firewall for a home WiFi network.

In most cases, solutions like this focus on staying small in size to maintain portability. Because home users are a wide and varied group, many of whom are less technical, you won’t see many advanced security features or settings on these devices.

Some of the most important features you’ll want to review when comparing personal VPNs are detailed below.

 

Size and form factor

In general, most consumer grade hardware VPN routers are small in size. What is important to note is the sacrifices that come with the small size. Typically, if a solution is smaller in form factor, you’ll find that it can protect fewer devices at one time and may have lower throughput or higher latency. So you’ll want to ensure that you take a look at those metrics as well, to be certain you aren’t losing functionality you need.

 

WiFi capability

For home use, one of the most important features you’ll want is WiFi capability. Your VPN router and firewall should support both wired and wireless connections. The more devices it can protect, the better. For a base standard, we usually suggest looking for the ability to cover up to 10 devices at a time (given that you’ll want to support multiple laptops, smartphones and TVs in your house at once).

 

Throughput

There are quite a few factors that can ultimately affect VPN speed, ranging from encryption methods to server locations and routing algorithms. In general, you should look for a hardware VPN router that provides greater than 50 Mbps of VPN throughput in in-line (Ethernet to Ethernet) mode.

 

Compatibility

Ideally, you should look for a hardware VPN solution that requires no software installation on end user devices. Solutions like this sidestep compatibility concerns and help to ensure that there are no additional security issues related to patches or updates on the client side.

Because no software is required on the end user devices, there is no concern about which versions of applications or operating systems are running on those devices. With a software-based VPN solution, there are many such requirements that must be met before the VPN can work correctly in the environment.

 

Portability

An often overlooked feature for home users is the portability of the solution. Because most home VPN routers are smaller, they can be considered portable, but many of them need a wired connection to the open internet to work.

This is where ultra-portable solutions come in handy. You can take solutions like the GoSilent hardware VPN pictured below anywhere and use them to securely connect even from places like coffee shops and hotels to protect against captive portals.

All it requires is a connection to the user device, and it is capable of connecting over any public WiFi network.

 

Choosing an enterprise hardware VPN solution

Enterprise organizations solving for remote access have a very different set of requirements from a home user. They not only have to worry about the end users connecting through the VPN, they also have to worry about centralized management of that VPN across a large user group, and they have a large network to keep protected.

As such, we will break the considerations you’ll need to work through into those two categories below.

 

Management concerns

Ease of management

Many hardware VPN server management systems are notoriously difficult to use, requiring almost complete control through a command line interface rather than a user-friendly graphical user interface (GUI).

When evaluating hardware VPNs, look for a simpler control interface rather than a complex command-line environment.

Ideally, you’ll want the ability to easily deploy and control the VPN server. The more complex the setup and management of your VPN server, the more time you’ll have to spend managing it and the higher the risk of misconfiguration or error.

Look for a solution that makes it simple.

 

Important management features

There are a few key features that many enterprise IT teams will need to ensure their VPN solution satisfies, including:

  • Auditing: your solution will need to provide and maintain a detailed audit trail for forensic purposes.
  • Log Shipping: in order to aid disaster recovery efforts, a solution which provides log shipping will be important. 
  • Monitoring: your solution will need to provide administrators complete visibility into all activity by all users.

 

Software and environmental compatibility

You’ll want to look for a solution that disrupts your current environment as little as possible. Environment-agnostic hardware VPN solutions where centralized management runs as a virtual server are a safe bet.

For instance, our GoSilent VPN server is a virtual machine appliance, meaning it is agnostic of your existing central network environment, operating systems or applications.

 

Initial set-up and deployment

Another commonly overlooked factor when selecting a VPN solution is the amount of effort it takes for the IT team to get it off the ground. The COVID pandemic has highlighted this problem very clearly; IT teams have had to figure out how to launch a full-scale work-from-home solution while not going into the office themselves.

In addition to the concern for compatibility above, ensuring you select a solution that runs as a virtual server will help make this simpler.

Outfitting your network and users for secure access can also be accomplished much more efficiently and easily with a hardware-based VPN compared to a software solution.

As an example, doing this with Archon’s GoSilent Cube and Virtual Server involves the following steps:

  1. Set up the virtual server on your enterprise network. This can be completed in as little as 10 minutes.
  2. Provide each of your users with a GoSilent Cube that allows their corporate devices, or personal devices if BYOD (e.g. laptops, desktops, smartphones and/or tablets), to connect securely over the open internet to your internal network.
  3. Users connect the GoSilent Cube to their devices (with no setup required, a simple plug-and-play solution that even non-technical users can deploy in minutes), log in and go!

 

Third party validation

One of the best things you can do to ensure your chosen solution will meet your security needs is to look for a hardware VPN provider that has gotten third party validation of their encryption and overall security posture.

In this case, you should look for the best third party validation available. You can choose to look at solutions that are NIAP Approved, CSfC Certified, or are FIPS compliant. This means that the government itself has fully reviewed the product, as well as tested and vetted the security measures of the hardware VPN and its encryption.

Solutions which have achieved those levels of certification have been approved for use on up to Top Secret level data, meaning your organization can trust their protection for whatever level of security you need.

 

Quantum resistance

Depending upon the type of data your organization sends, you may also need to consider if a quantum resistant VPN is something you need.

One of the biggest concerns amongst organizations like the Department of Defense, financial institutions and healthcare providers is the fact that information harvested and stored today could potentially be decrypted in the future.

If you are transmitting encrypted information today with an algorithm that could be broken by a quantum computer, it would be possible for malicious actors to intercept that information, store it in its encrypted form, and save it for a future date.

Once a quantum computer is built that has the speed and processing power capable of breaking that algorithm, it can be used to decrypt and access any information that was previously stored.

So, essentially, you should prioritize quantum-resistant cryptography if you have sensitive information that would still be a problem if it were discovered and released in roughly 20 to 30 years.

This is why the government, specifically the Department of Defense, is concerned about employing quantum-resistant cryptography today. Much of the classified information that needs to be protected today will still be classified in 30 years, and could potentially still do a lot of harm if released 30 years down the line.

Another prime example is related to healthcare. Intercepting encrypted medical records today could mean the wide release of personal health information protected by HIPAA in the future.

While 30 years may feel like it is far away, the release of nearly all the information you are working to protect today is a big concern, even when the threat is that far into the future.

If this is a concern for your organization, you’ll want to ensure that your chosen VPN solution uses cryptography that is quantum resistant.

 

End user concerns

Ease of use and training

Your goal should be to locate a solution that requires absolutely no training at all. Yes, you read that right. It is rare, but not impossible, to find a hardware VPN solution that is so simple for end users that they will require no training whatsoever.

The best place to start with this is VPN configuration requirements. Take our GoSilent Cube hardware VPN client for instance. Because there is nothing to configure on a GoSilent, there is nothing to misconfigure. It is as simple as plugging the GoSilent Cube into the end user device (or connecting the two over the GoSilent Cube's LAN). That’s it. 

As a real-world example, a client of ours shipped GoSilent Cubes to all of their employees during the COVID-19 pandemic (so no in-person training was even possible). Their employees were able to self-provision the Cubes in minutes, on their own and without the need to install or configure any software or VPN service, in the comfort of their homes.

 

Size and form factor

Most enterprise hardware VPN solutions are typical rack appliances that are large and bulky.

In general, you will find that you have to sacrifice certain things when shrinking down the size of your VPN client. Typically, if a solution is smaller in form factor, you’ll find that it can protect fewer devices at one time and may have lower throughput or higher latency.

There aren’t many solutions that can provide the performance of an “enterprise grade” remote access solution that are also small enough to be portable. As far as we are aware, Archon’s GoSilent Cube is the only product on the market that offers the performance it does at a size small enough to fit in the palm of your hand.

The majority of hardware VPNs that have the same performance and throughput are at least four to six times the size, require two to three times the amount of power, and weigh two to three times as much as a GoSilent mobile VPN.

 

Captive portal protection

Particularly if you are using your solution to protect remote or traveling workers, you’ll want to ensure that it provides protection against captive portals.

When connecting from locations with free guest Wi-Fi access, users are often funneled through a captive portal that requires personal information and acceptance of terms and conditions before granting network access or providing an IP address.

In practice, many users regularly choose to use unsecured public Wi-Fi (including networks with captive portals) rather than their own cellular data providers in order to save money on wireless access, making it highly likely that remote employees will at some point choose to use a captive portal to gain access to the internet.

Captive portals provide an easy point of entry for malicious actors looking to gain access to an individual user’s device and, through that, the larger corporate network.

Captive portal isolation involves the use of combined firewall and VPN hardware with a built-in, stateless, sandboxed web browser.

You’ll want to ensure that your chosen hardware VPN solution offers this level of protection.

 

BYOD Allowance

Typically, BYOD has been avoided by organizations that take security very seriously, ranging from large enterprises to government agencies and everything in between, because of their inability to manage and control operating systems, software patches and updates, and device usage.

Unfortunately, for most organizations, in the face of the COVID-19 pandemic, the size of the remote workforce has increased far beyond the number of employer-provided devices that are available, making it critical that organizations put in place clear Bring Your Own Device (BYOD) policies.

The COVID-19 crisis has forced many of these organizations, including government agencies, to take a fresh look at BYOD, and the options available to bolster the security of data when it is shared with employees using personal devices.

Ideally, in this environment, and looking to the future, you’ll want to select a solution that is BYOD-friendly.

The primary security concerns enterprise organizations have with BYOD and VPNs are:

  1. Malware on the device: Existing malware that may be present on a user's personal device may be able to jump through the VPN into the corporate network itself, which could wreak havoc. It also may be able to steal VPN keys and grant bad actors unauthorized access to your network from other locations.
  2. Installation, set-up and configuration: Typically there is a lot of training required to launch a VPN solution, and the centralized requirements for the IT staff are often very high.
  3. Split tunneling: One of the primary concerns with remote access VPN usage is the ability to enable split tunneling, which allows a remote VPN user to access the internet through a public or unsecured network at the same time that they are allowed to access the corporate network through the VPN. You don’t want to have to rely on users to know how to enable and disable this.
  4. Interoperability: The reality is that you, as the employer, have little to no control over what applications or devices individual employees use for BYOD. This creates all kinds of interoperability concerns where your solution must be able to work agnostic of software, OS or device.

Ultimately, you will want to look for a solution that mitigates all of these concerns, making BYOD not only possible, but easy.

 

Storage of sensitive data on end user devices

This is a concern for both BYOD and non-BYOD deployments. In the case of BYOD, it is definitely more of a problem, but in both cases the possibility of device theft or loss makes it a real concern to have any corporate information stored on that device.

You can always put in place policies that tell users they can’t do this, and work to rely more heavily on cloud-based applications which store data in the cloud. But in practice, both of those are incredibly limiting to you as an organization.

Instead, you may consider a solution that combines virtual desktop infrastructure (VDI) with a VPN to provide protection without limitations.

A VDI allows end users to work remotely through a virtualized environment that lives on your central server. End user devices connect via the VDI to virtual machines that you have set up on your server, allowing users to execute work as if they are on your internal network. 

With VDI, no data is stored on the end user device. Instead, the user can simply see what is on the screen of the virtual machine and interact with it, but not store data from it. VDI supports a range of end user devices, from laptops and desktops to tablets or mobile devices.

Choosing a government or military-grade hardware VPN

VPNs for use in government agencies or military communications have to adhere to an entirely different level of protection than most commercial solutions. If you find yourself in this category, you’ll have all the concerns in the enterprise section plus a host of different compliance requirements your chosen VPN solution will have to meet.

 

NIAP requirements

NIAP certification is most applicable to the Department of Defense (DoD), the Intelligence Community, and any DoD contractors or affiliates. Its primary purpose is to certify commercial technology or products which will be used to handle sensitive and classified data. 

Government agencies that are required to have NIAP certified products will simply need to ensure that the technology they choose for their solutions is NIAP certified. 

As a DoD agency or contractor, selecting technology components that are on the Defense Information Systems Agency (DISA) Unified Capabilities Approved Products List (DoD UC-APL) or the NIAP Product Compliant List is the best way to ensure your final solution is given authority to operate.

For hardware VPNs in particular, you’ll need to ensure that your chosen solution is approved under the VPN Gateway Protection Profile. Any certified devices in the category will have been audited to ensure they adhere to the specific set of compliance requirements that must be met for all VPN Gateways.

Each certified device will have a security target, or a set of security requirements and specifications used as the basis for evaluation, that you can review publicly on the NIAP website.

 

CSfC requirements

NSA’s Commercial Solutions for Classified (CSfC) program offers an alternative to Type 1 encryption products for government agencies and military users.

The technology within NSA Type 1 and CSfC is different, as are the manufacturers of this technology: the NSA itself or trusted systems integrators in the former case, and third-party commercial vendors in the latter.

However, the purpose of both is the same: helping the U.S. government to protect classified data.

The CSfC Program seeks to use the production volume of commercial vendors in order to provide alternatives to existing methods of achieving secure transmission of classified data. It allows you to more efficiently meet your needs and provides some benefits over government-off-the-shelf solutions.

One of the most important requirements of all CSfC solutions, and one that applies specifically to VPN usage, is the need for dual tunnel encryption. All CSfC Capability Packages require classified data to be protected by multiple encrypted tunnels using a specified set of encryption protocols.

 

Dual encryption

Using two nested, independent encryption tunnels helps to protect the confidentiality and integrity of data as it moves through an untrusted network.

Using a double VPN tunnel provides an extra layer of protection and redundancy for classified data traveling across mobile networks. If a malicious actor manages to compromise the outer tunnel, the data remains secure thanks to the additional encryption provided by the VPN’s inner tunnel.

The double layer of encryption helps to prevent data spillage, a security incident where classified information is exposed to an unauthorized system or individual. This means that CSfC VPN solutions can transport extremely sensitive information, all the way up to TS (Top Secret).

This means that any CSfC deployment for mobile access needs two VPNs working in concert. In practice, this has been incredibly hard to achieve. Most VPN solutions were never meant to work at the same time as another VPN, so they rarely play nicely with each other.

In this case, using a dedicated hardware VPN device such as Archon’s GoSilent Cube for your outer encryption tunnel introduces no compatibility issues and allows you to select any CSfC-approved software VPN for your inner encryption tunnel.

Learn more about how to build CSfC approved architectures with two VPNs with our in-depth article “CSfC Mobile Access Capability Package Architecture Examples”.

 

Retransmission devices

In CSfC Mobile Access deployments, retransmission devices (RDs) are used to protect communications across untrusted networks by isolating connectivity to untrusted networks and providing a dedicated firewall between the components of your CSfC solution and components that control communication across untrusted networks like Wi-Fi, LTE, 4G or 5G networks.

The retransmission device will provide an internal connection to your end user devices, and on the external side, can be connected to any type of medium like cellular, Wi-Fi, SATCOM, or Ethernet to gain network access (i.e. black network).

However, you do not need a retransmission device if you are using a dedicated outer encryption component, like Archon’s GoSilent hardware VPN.

A hardware-based VPN that isolates the CSfC end user devices from the networks they are transmitting through serves the same purpose as a retransmission device, and can provide the same layer of security between the components of your CSfC solution and untrusted networks like Wi-Fi, LTE, 4G or 5G networks.

Choosing the right hardware VPN instead of a software VPN for your outer encryption tunnel means that the endpoint devices never actually touch the networks they connect to. For example, Archon's GoSilent device provides a dedicated VPN firewall between the device it is connected to and the outside world. No other devices on the same network can even see that the device itself exists. Instead, their view ends at the GoSilent Cube.

Essentially, choosing the right hardware VPN for your outer encryption tunnel eliminates the need to have an RD in your architecture, but affords all the same abilities to connect to a wide variety of untrusted networks.

Learn more about the use of retransmission devices with our in-depth article “CSfC Mobile Access Capability Package: What is a Retransmission Device?”.

 

Choosing a hardware VPN for use in an IoT deployment

Organizations implementing IoT and industrial IoT deployments have all kinds of unique considerations they must take into account when choosing how to architect their VPN communications.

The key concerns they have to think about include:

  • Number of endpoints: Securing a single endpoint is relatively straightforward, but when it comes to scaling security for a large number of devices, and considering the costs associated with doing so, securing device communication suddenly becomes a very complex conversation.
  • Architecture options: With each different IoT goal or deployment type, there are usually many different ways an organization could choose to approach building and securing that particular initiative. 
  • Manned vs. unmanned systems: With IoT, you may be dealing with endpoints that can be either manned or unmanned. Each type comes with unique challenges.
  • Consequences of a breach: The consequences of a breach can vary significantly across different use cases, but in some cases can be incredibly dire and involve life and death concerns.
  • Cost and ROI: All of the above different challenges really roll up into one big and final challenge, which is weighing the cost of your initiative with the ROI of executing and the ongoing risks of allowing connectivity.

 

Architecture options

In general there are two primary ways to architect an IoT deployment. The architecture you choose will go a long way in helping you to then select the right VPN solution to secure communications.

 

Dedicated Gateway Architecture

In this architecture, you’ll use a dedicated gateway as an aggregation point for all of the data coming from your endpoint devices. Each endpoint speaks to the gateway, the gateway aggregates and preprocesses all information, and then transmits it to a central source.

The centralized gateway architecture is a good fit (and typically the lower-cost option) if you have IoT sensors with a small physical footprint, low power consumption, clustered deployments, periodic transmissions, etc. This architecture also allows for edge computing capabilities on the IoT gateway like data normalization, correlation, AI/ML, etc.

If you are using this type of architecture, consider using a hardware VPN as your IoT gateway that allows connections to a large number of devices. You’ll want to select a hardware VPN that does all of the following:

  • No specialized software on the gateway: No software should be required on the gateway device itself, so there is no concern about which versions of applications or operating systems are running.
  • Firewalling and isolation: Select a hardware VPN that can act as a firewall between the gateway and the outside world. No other devices on the same network as the gateway should be able to see that the endpoint devices communicating with it even exist.
  • Greater control over where traffic is sent: Choose a hardware-based VPN that can be configured to only allow traffic to flow to a single endpoint. When used as a gateway, this ensures that any and all traffic can only go to the central network.
  • Wireless security: Hardware VPNs in general should offer a solution for securing wireless communications at the physical layer.

 

Individual Device Communication Architecture

In this type of architecture, the endpoint IoT devices communicate directly with the centralized server or cloud data warehouse, rather than using a gateway to gather and aggregate communications.

This architecture is a fit for more distributed deployments but usually comes with larger costs than the centralized gateway architecture.

Depending on your cost structure and how the endpoint devices themselves are used, a portable, low-power hardware VPN client device protecting all communications from each device is an option. In this case, you’ll want to select a hardware VPN that does all of the following:

  • Power: Your solution should be able to be powered from a standard USB 2.0 port or battery pack and have low power requirements.
  • Connectivity: Choose a hardware VPN that allows a secure connection over any network type (cellular, satellite, etc.) so that you are not limited in how your devices can communicate immediately or in the future.
  • Size and form factor: You’ll want a solution that is lightweight and unobtrusive to fit into the design of your device.
  • Firewalling and isolation: Select a VPN appliance that can act as a hardware firewall between the device and the outside world. No other devices on the same network as the device should be able to see that it even exists.

Final Thoughts

There are so many different considerations to take into account, and we know it can be overwhelming. The first step is simply being informed on your options, which you now are!

Next up, if you are looking to implement a large scale solution, contacting an expert may be the right choice. There are plenty of knowledgeable experts available to help build complex solutions. 

CSfC Trusted Integrators are available to help with CSfC solutions. There are quite a few IoT integrators that help build enterprise remote access and industrial IoT solutions for clients. And our team of technical experts is always available to field your questions as well. 

Just know that you don’t have to be alone as you begin your hardware VPN implementation journey, and there are a wealth of experts to help you build the right infrastructure and solutions.
